On Thu, Apr 15, 2010 at 11:52 PM, Victor Duchovni <victor.ducho...@morganstanley.com> wrote:
> On Thu, Apr 15, 2010 at 07:16:58PM -0400, zhong ming wu wrote:
>
>> I don't find anywhere in TLS documentation how to make postfix respect a crl
>> so that clients whose certs have been revoked cannot use the submission
>> server.
>
> The supported model for submission servers that use client certs is to
> list all supported fingerprints in a table. With fingerprint security,
> you don't need CRLs. Alternatively, you can extract all the revoked
> certs from the CRL, and use check_ccert_access to deny access, while
> allowing everyone else signed by the CA.
>

Thanks. I am already doing this. I just thought there might be a more standard way with crl because I am using the same CA file for both dovecot and postfix and dovecot supports crl.
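
The CRL-to-access-table approach from the quoted reply, as an added example that is not part of the original thread. A CRL lists serial numbers rather than fingerprints, so the sketch assumes the CA keeps a PEM copy of every issued client certificate in one directory; the script name, file names and directory layout are hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread. Assumption: the CA keeps a PEM copy of
# every issued client certificate in one directory (paths are hypothetical).
DIGEST="${DIGEST:-sha256}"   # must match Postfix's smtpd_tls_fingerprint_digest

# stdin: output of `openssl crl -noout -text`; prints one revoked serial per line.
revoked_serials() {
    awk '/^[[:space:]]*Serial Number:/ { print toupper($3) }'
}

# Prints "SERIAL FINGERPRINT" for every issued certificate in directory $1.
issued_index() {
    for cert in "$1"/*.pem; do
        [ -f "$cert" ] || continue
        openssl x509 -noout -serial -fingerprint "-$DIGEST" -in "$cert" |
            awk -F= '/^serial=/    { s = toupper($2) }
                     /Fingerprint=/ { f = toupper($2) }
                     END { if (s != "" && f != "") print s, f }'
    done
}

# $1: file of revoked serials; stdin: "SERIAL FINGERPRINT" index.
# Prints check_ccert_access entries. A revoked serial with no stored
# certificate cannot be blocked by fingerprint, so it is reported on stderr.
deny_table() {
    awk -v list="$1" '
        BEGIN { while ((getline s < list) > 0) revoked[s] = 1 }
        ($1 in revoked) { print $2, "REJECT certificate revoked"; seen[$1] = 1 }
        END { for (s in revoked) if (!(s in seen))
                  print "no issued cert for revoked serial " s > "/dev/stderr" }'
}

# usage: sh crl2ccert.sh CRL.pem ISSUED_DIR > revoked_ccerts
main() {
    tmp=$(mktemp) || return 1
    openssl crl -noout -text -in "$1" | revoked_serials > "$tmp"
    issued_index "$2" | deny_table "$tmp"
    rm -f "$tmp"
}

if [ "$#" -eq 2 ]; then main "$@"; fi
```

The resulting table is meant to be compiled with postmap and consulted by check_ccert_access before permit_tls_all_clientcerts, and regenerated whenever the CA publishes a new CRL.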